4.7 Identify key elements in an intrusion from a given PCAP file
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
In the Cisco Certified CyberOps Associate (200-201 CBROPS) exam, you must be able to analyze a PCAP file and identify important network communication details that may indicate an intrusion. One of the important elements you must recognize is the source port.
Understanding the source port helps analysts determine which application initiated the communication, how the connection was created, and whether the activity is normal or suspicious.
1. What Is a Source Port?
A source port is the port number used by the device that starts a network connection.
In network communication, each packet contains:
- Source IP address – the system sending the packet
- Destination IP address – the system receiving the packet
- Source port – the port used by the sender
- Destination port – the port used by the receiving service
The source port identifies the sending process or application on the source device.
Example Packet Information
| Field | Example Value |
|---|---|
| Source IP | 192.168.1.25 |
| Source Port | 49832 |
| Destination IP | 10.10.5.20 |
| Destination Port | 80 |
This means:
- A client device 192.168.1.25
- Using source port 49832
- Is connecting to web service port 80
2. Why Source Ports Exist
A computer may run many network connections at the same time. The operating system uses port numbers to keep track of each connection.
The source port allows the system to:
- Identify the specific application or process sending the traffic
- Track multiple simultaneous network sessions
- Ensure responses return to the correct application
Without ports, the operating system would not know which application should receive the returning data.
3. Source Ports in the TCP/IP Communication Process
When a client starts a connection:
- The client chooses a source port number
- The packet is sent to the server’s destination port
- The server responds using:
  - Source port = server service port
  - Destination port = client source port
Example: HTTP Connection
Client device sends request:
| Field | Value |
|---|---|
| Source IP | 192.168.1.10 |
| Source Port | 51544 |
| Destination IP | 172.16.1.20 |
| Destination Port | 80 |
Server response:
| Field | Value |
|---|---|
| Source IP | 172.16.1.20 |
| Source Port | 80 |
| Destination IP | 192.168.1.10 |
| Destination Port | 51544 |
The source port becomes the return destination port so the correct application receives the response.
4. Types of Port Numbers
Port numbers range from 0 to 65535 and are divided into categories.
1. Well-Known Ports (0–1023)
Used by common services.
Examples:
| Port | Service |
|---|---|
| 80 | HTTP |
| 443 | HTTPS |
| 22 | SSH |
| 21 | FTP |
| 25 | SMTP |
In client-initiated traffic these ports usually appear as destination ports; they appear as source ports only in the server’s replies.
2. Registered Ports (1024–49151)
Used by specific applications or vendor software.
Examples:
| Port | Service |
|---|---|
| 3306 | MySQL |
| 3389 | Remote Desktop |
| 8080 | Alternative HTTP |
Sometimes these appear as source ports depending on the application.
3. Dynamic / Ephemeral Ports (49152–65535)
These are temporary ports automatically assigned by the operating system.
Most client connections use these ports as source ports.
Example:
A workstation connecting to a web server might use:
- Source port 52341
- Destination port 443
5. Where Source Ports Appear in a PCAP File
When analyzing a PCAP file in Wireshark, the source port appears in the Packet Details pane, inside the transport-layer header.
The exact location depends on the protocol:
TCP Packet
Transmission Control Protocol
Source Port: 51544
Destination Port: 80
UDP Packet
User Datagram Protocol
Source Port: 62001
Destination Port: 53
Wireshark also shows the ports in the Packet List pane (for example in the Info column).
Example display:
192.168.1.10:51544 → 10.10.10.20:80
6. Why Source Ports Are Important in Intrusion Analysis
Security analysts examine source ports to understand:
- Who initiated communication
- Which applications may be involved
- Whether traffic patterns are abnormal
Source ports help analysts determine the behavior of the source system during an intrusion.
7. Identifying Suspicious Source Ports
Certain patterns in source ports can indicate suspicious activity.
1. Sequential Source Ports
Example:
192.168.1.10:40001 → 10.0.0.5:22
192.168.1.10:40002 → 10.0.0.6:22
192.168.1.10:40003 → 10.0.0.7:22
This pattern may indicate:
- Automated scanning tools
- Brute force attempts
2. Same Source Port Used Repeatedly
Example:
192.168.1.10:4444 → multiple hosts
This may indicate:
- Malware communication
- Backdoor tools
- Command-and-control connections
Some malware uses fixed ports for communication.
3. Unusual Low Source Ports
Normally:
- Client source ports are high ephemeral ports
If you see:
Source Port: 22
Source Port: 80
from a client system, it may indicate:
- Port spoofing
- Malicious tools manipulating packets
4. Large Number of Different Source Ports
Example pattern:
192.168.1.15:50100
192.168.1.15:50101
192.168.1.15:50102
192.168.1.15:50103
This may indicate:
- Automated connection attempts
- Scanning tools
- Malware spreading
8. Using Source Ports in Wireshark Analysis
When analyzing PCAP files, analysts often filter traffic using port numbers.
Filter by Source Port
Example filter:
tcp.srcport == 4444
This shows packets where the source port is 4444.
Filter for a Range of Source Ports
tcp.srcport >= 49152
Shows packets whose TCP source port is in the ephemeral range.
Combine Source IP and Source Port
ip.src == 192.168.1.10 && tcp.srcport == 51544
This helps identify a specific communication session.
9. Identifying Sessions Using Source Ports
Network sessions are identified using a five-tuple:
- Source IP
- Destination IP
- Source Port
- Destination Port
- Protocol (TCP/UDP)
Example:
192.168.1.10 : 51544
10.0.0.5 : 443
TCP
This combination uniquely identifies a single network connection.
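To make sections 5 and 9 concrete, here is an added example (written for this page; it is not Cisco’s, Wireshark’s, or any other tool’s code) that reads a classic pcap file in pure Python, extracts the source and destination ports from each TCP/UDP packet, and groups packets into sessions by a direction-normalised five-tuple. The capture bytes are constructed in memory (the HTTP handshake from section 3 plus a DNS query); the function names and addresses are my own choices.

```python
"""Pure-Python classic-pcap reader: extracts source/destination ports and groups
packets into sessions by five-tuple. No scapy or pyshark needed."""
import socket
import struct
from collections import defaultdict


# --- Constructed capture (built in memory, not recorded from a network) -----------
def _ipv4(src, dst, proto, payload):
    """Minimal IPv4 header without options; checksum left zero (not verified here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def _tcp(sport, dport, flags):
    """20-byte TCP header: ports, seq, ack, data offset 5 plus flags, window, csum, urg."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0)


def _udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _ether(payload):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + payload


def build_sample_pcap():
    """Section 3's HTTP handshake (client 192.168.1.10:51544 -> 172.16.1.20:80) plus a DNS query."""
    frames = [
        _ether(_ipv4("192.168.1.10", "172.16.1.20", 6, _tcp(51544, 80, 0x02))),  # SYN
        _ether(_ipv4("172.16.1.20", "192.168.1.10", 6, _tcp(80, 51544, 0x12))),  # SYN-ACK
        _ether(_ipv4("192.168.1.10", "172.16.1.20", 6, _tcp(51544, 80, 0x10))),  # ACK
        _ether(_ipv4("192.168.1.10", "10.10.10.1", 17, _udp(62001, 53))),        # DNS query
    ]
    # Global header: magic, version 2.4, timezone, sigfigs, snaplen, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):  # per-packet record header, then the frame bytes
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# --- Reader ------------------------------------------------------------------------
def parse_pcap(data):
    """Yield one dict per TCP/UDP packet with the fields shown in Wireshark's Packet Details."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled by this example)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":  # not IPv4, skip
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # header length in bytes (IP options included)
        proto, l4 = ip[9], ip[ihl:]
        if proto not in (6, 17):
            continue
        sport, dport = struct.unpack_from("!HH", l4, 0)  # same offsets in TCP and UDP
        yield {
            "ts": ts_sec,
            "proto": "TCP" if proto == 6 else "UDP",
            "src_ip": socket.inet_ntoa(ip[12:16]), "src_port": sport,
            "dst_ip": socket.inet_ntoa(ip[16:20]), "dst_port": dport,
            "tcp_flags": struct.unpack_from("!H", l4, 12)[0] & 0x1FF if proto == 6 else None,
        }


def session_key(pkt):
    """Five-tuple with the endpoints sorted so both directions map to the same session."""
    ends = sorted([(pkt["src_ip"], pkt["src_port"]), (pkt["dst_ip"], pkt["dst_port"])])
    return (pkt["proto"], ends[0], ends[1])


def group_sessions(data):
    sessions = defaultdict(list)
    for pkt in parse_pcap(data):
        sessions[session_key(pkt)].append(pkt)
    return dict(sessions)


def wireshark_style(pkt):
    """Render like the Packet List display in section 5: src:port -> dst:port proto."""
    return f'{pkt["src_ip"]}:{pkt["src_port"]} -> {pkt["dst_ip"]}:{pkt["dst_port"]} {pkt["proto"]}'


if __name__ == "__main__":
    for key, pkts in group_sessions(build_sample_pcap()).items():
        print(key)
        for p in pkts:
            print("   ", wireshark_style(p))
```

The three handshake packets land in one session even though the SYN-ACK has source port 80 and destination port 51544, because `session_key` sorts the two endpoints before building the key; the DNS query forms a second session. Replace `build_sample_pcap()` with `open("capture.pcap", "rb").read()` to run the reader over a real classic pcap (pcapng files need a different reader).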
10. Example of Source Port Analysis During an Intrusion
Example PCAP observation:
Source IP: 192.168.50.10
Source Port: 50321
Destination IP: 10.0.0.20
Destination Port: 445
Repeated connections appear:
50321
50322
50323
50324
Possible interpretation:
- Automated attempts to connect to SMB service
- Possible network scanning or worm activity
The changing source ports indicate multiple new connection attempts.
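Sections 7 and 10 describe source-port patterns worth flagging. The following added example (not from the page or from any tool it names) codes three of those heuristics over a constructed list of connection records: a fixed source port reused toward several hosts, a run of sequential source ports from one host, and a well-known port appearing as the source port on a client's SYN. The `Conn` record, the thresholds `min_hosts` and `min_run`, and all addresses are my own choices.

```python
"""Source-port heuristics over connection records (constructed data, not a real capture)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Conn:
    """One packet's addressing; syn=True marks the initiator's SYN (not a server reply)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool


# Constructed sample modelled on the page's examples (hypothetical addresses).
SAMPLE: List[Conn] = [
    # Section 10: one host walking through consecutive source ports toward SMB.
    Conn("192.168.50.10", 50321, "10.0.0.20", 445, True),
    Conn("192.168.50.10", 50322, "10.0.0.20", 445, True),
    Conn("192.168.50.10", 50323, "10.0.0.20", 445, True),
    Conn("192.168.50.10", 50324, "10.0.0.20", 445, True),
    # Section 7.2: the same source port 4444 reused toward multiple hosts.
    Conn("192.168.1.10", 4444, "10.0.0.5", 80, True),
    Conn("192.168.1.10", 4444, "10.0.0.6", 80, True),
    Conn("192.168.1.10", 4444, "10.0.0.7", 80, True),
    # Section 7.3: a client initiating with a well-known port as its source port.
    Conn("192.168.1.20", 80, "10.0.0.9", 8080, True),
    # Normal client traffic plus the server's reply (source port 443 is expected there).
    Conn("192.168.1.30", 52341, "10.0.0.5", 443, True),
    Conn("10.0.0.5", 443, "192.168.1.30", 52341, False),
]


def fixed_source_port_reuse(conns: List[Conn], min_hosts: int = 3) -> Dict[Tuple[str, int], List[str]]:
    """Same (src_ip, src_port) initiating connections to several distinct hosts."""
    targets = defaultdict(set)
    for c in conns:
        if c.syn:
            targets[(c.src_ip, c.src_port)].add(c.dst_ip)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}


def sequential_source_ports(conns: List[Conn], min_run: int = 4) -> Dict[str, Tuple[int, int, int]]:
    """Longest run of consecutive initiator source ports per host: (first, last, length)."""
    ports_by_src = defaultdict(set)
    for c in conns:
        if c.syn:
            ports_by_src[c.src_ip].add(c.src_port)
    findings = {}
    for ip, ports in ports_by_src.items():
        ordered = sorted(ports)
        best, run = [], [ordered[0]]
        for p in ordered[1:]:
            if p == run[-1] + 1:
                run.append(p)
            else:
                best = max(best, run, key=len)
                run = [p]
        best = max(best, run, key=len)
        if len(best) >= min_run:
            findings[ip] = (best[0], best[-1], len(best))
    return findings


def low_source_port_on_syn(conns: List[Conn]) -> List[Conn]:
    """Initiator SYNs whose source port is in the well-known range (below 1024)."""
    return [c for c in conns if c.syn and c.src_port < 1024]


def report(conns: List[Conn]) -> dict:
    """Run all three heuristics and return their findings keyed by name."""
    return {
        "fixed_port_reuse": fixed_source_port_reuse(conns),
        "sequential_ports": sequential_source_ports(conns),
        "low_source_port_syn": low_source_port_on_syn(conns),
    }


if __name__ == "__main__":
    for name, finding in report(SAMPLE).items():
        print(name, finding)
```

The `syn` flag is what keeps the server's SYN-ACK (source port 443) out of the low-source-port finding: a well-known port is normal as a source port in a reply and only unusual on the packet that opens the connection. Thresholds are deliberately small for the sample; on a real capture raise `min_hosts` and `min_run` to match the baseline of the network, and remember that the ephemeral range differs by operating system (Linux, for instance, defaults to 32768–60999), so consecutive ports below 49152 are not by themselves suspicious.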
11. Relationship Between Source Port and TCP Sessions
In TCP communication, the source port is chosen during the TCP three-way handshake.
Example sequence:
- Client sends SYN: Src Port 52000, Dst Port 443
- Server replies SYN-ACK: Src Port 443, Dst Port 52000
- Client sends ACK
The source port remains constant throughout the session.
12. Common Tools That Use Specific Source Ports
Some tools or malware may use specific source ports, which can help analysts detect them.
Examples:
| Source Port | Possible Use |
|---|---|
| 4444 | Remote shells / backdoors |
| 5555 | Malware communication |
| Random high ports | Normal client traffic |
This pattern helps analysts detect command-and-control activity.
13. Key Exam Points to Remember
For the 200-201 CBROPS exam, remember the following:
Source Port Definition
A source port is the port number used by the device that initiates the network communication.
Purpose of Source Ports
They help:
- Identify the sending application
- Manage multiple network sessions
- Ensure responses return to the correct process
Typical Characteristics
- Usually ephemeral ports (49152–65535)
- Assigned dynamically by the operating system
- Remain consistent during a session
In PCAP Analysis
Source ports help identify:
- Connection initiator
- Scanning behavior
- Malware communication
- Session tracking
Wireshark Indicators
Look for:
- Source port field in TCP/UDP header
- Patterns of port usage
- Abnormal or repeating ports
Final Summary
A source port is the port number used by the sending device to initiate network communication. It allows the operating system to manage multiple connections and ensures responses return to the correct application.
During PCAP analysis, source ports help analysts:
- Identify which system initiated communication
- Track network sessions
- Detect scanning activity
- Recognize malware or suspicious traffic patterns
Understanding how source ports work is essential for network traffic analysis and intrusion investigation, making it a key concept for the Cisco CyberOps Associate (200-201 CBROPS) exam.
